SharePoint Zero-Day CVE-2025-53770: Patch Now

A critical zero-day vulnerability in on-premises Microsoft SharePoint Server — CVE-2025-53770 — allows attackers to execute code on your server remotely, without authentication. If your business runs SharePoint on-premises and hasn’t applied the July 2025 patch, your server is exposed right now.

Here’s what the vulnerability does, who’s affected, and exactly how to secure your systems.

What Is CVE-2025-53770?

A zero-day is a vulnerability that attackers exploit before the vendor releases a fix. CVE-2025-53770 is a Remote Code Execution (RCE) flaw — meaning an attacker can run arbitrary commands on your SharePoint server from anywhere in the world, without needing credentials.

The attack exploits a flaw in how SharePoint handles deserialization — the process of converting incoming data back into objects the server can use. A specially crafted request tricks SharePoint into executing malicious code during this process.

Once inside, attackers can:

  • Steal cryptographic keys — gaining persistent access to your entire environment
  • Install web shells — hidden backdoors for ongoing access
  • Exfiltrate data — copying databases, documents, and credentials to external servers

Microsoft’s Security Response Center has published full details and the patch for affected versions.

Who Is Affected?

If you use SharePoint Online (Microsoft 365), you are not affected. Microsoft manages those servers directly and has already applied the fix.

You are affected if you run any of these on-premises:

  • SharePoint Server 2016
  • SharePoint Server 2019
  • SharePoint Server Subscription Edition

Many Solano County businesses still run on-premises SharePoint — often a physical server in a back closet or a rented data center. If your SharePoint instance has not received the July 2025 security update, it is vulnerable to this exploit.

How to Secure Your Server

1. Apply the July 2025 Security Patch

This is the most critical step. Microsoft released the fix in July 2025. Every day unpatched is a day your server is an open target.

2. Rotate Machine Keys

Even after patching, an attacker who already reached your server may have copied your cryptographic machine keys, and the patch does not invalidate them. Generate new keys immediately to revoke any access those stolen keys would otherwise grant.

3. Scan for Web Shells

Web shells are small scripts attackers leave behind as backdoors. Check the /_layouts/ directory and other web-accessible folders for unfamiliar files. Use CISA’s threat advisory resources for detection guidance.

4. Evaluate Moving to SharePoint Online

For many small businesses, migrating to SharePoint Online eliminates the burden of manual patching, server maintenance, and physical security.
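The following PowerShell is an added example, not code from the original post or from Microsoft, that ties steps 1 to 3 together for an administrator at the console of the SharePoint server. It assumes an elevated SharePoint Management Shell, the default "16" hive path used by SharePoint 2016, 2019 and Subscription Edition, a 30-day look-back window for the file scan, and that your patched build ships the Update-SPMachineKey cmdlet; the build numbers to compare against are not in this post and must be taken from the MSRC advisory.

```powershell
# Added example, not from the original post. Run in an elevated
# SharePoint Management Shell on each SharePoint server in the farm.
# Assumptions: default "16" hive path, 30-day look-back, and that your
# patched build includes the Update-SPMachineKey cmdlet.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# --- Step 1: confirm what is installed ------------------------------------
# Compare BuildVersion with the July 2025 security update build for your
# edition (from the MSRC advisory; the numbers are not in this post).
$farm = Get-SPFarm
Write-Host "Farm build version: $($farm.BuildVersion)"
Get-SPProduct -Local | Format-List

# --- Step 2: rotate the ASP.NET machine keys -------------------------------
# Patching does not invalidate keys an attacker already copied, so rotate
# them on every web application, then recycle IIS so the new keys load.
# If Update-SPMachineKey is missing on your build, run the
# "Machine Key Rotation" timer job from Central Administration instead.
Get-SPWebApplication -IncludeCentralAdministration | ForEach-Object {
    Write-Host "Rotating machine key for $($_.Url)"
    Update-SPMachineKey -WebApplication $_
}
iisreset

# --- Step 3: look for web shells in web-accessible folders ------------------
# /_layouts/ maps to TEMPLATE\LAYOUTS under the hive; the IIS virtual
# directories hold each web application's root. Any server-side script
# written after your last legitimate patch deserves a second look.
$hive      = 'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16'
$scanRoots = @(
    (Join-Path $hive 'TEMPLATE\LAYOUTS'),
    'C:\inetpub\wwwroot\wss\VirtualDirectories'
)
$since = (Get-Date).AddDays(-30)   # assumption: widen if you patch less often

$suspects = Get-ChildItem -Path $scanRoots -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object {
        ($_.Extension -in @('.aspx', '.ashx', '.asmx', '.asax')) -and
        ($_.LastWriteTime -gt $since)
    } |
    ForEach-Object {
        [pscustomobject]@{
            Path      = $_.FullName
            LastWrite = $_.LastWriteTime
            SizeBytes = $_.Length
            SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    } |
    Sort-Object LastWrite -Descending

if ($suspects) {
    $suspects | Format-Table -AutoSize
    # Keep the evidence: the list and hashes are what an incident responder
    # will ask for, and what you compare against a known-good server.
    $suspects | Export-Csv -Path "$env:TEMP\sharepoint-webscan.csv" -NoTypeInformation
} else {
    Write-Host "No server-side script files modified since $since in the scanned folders."
}
```

A file that appears in the scan is not automatically malicious: a legitimate cumulative update also rewrites files under LAYOUTS, so compare the timestamps with the date you installed the patch and the hashes with a server you trust. Run the scan before and after patching so the legitimate changes are easy to tell apart.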

Why “Set It and Forget It” Fails

We’ve worked with Solano County businesses since 2008, and the pattern is consistent: servers that aren’t actively managed get breached.

Key warning signs that your server may already be compromised:

  • Outbound connections to unfamiliar IP addresses, especially at odd hours
  • New or modified files in web-accessible directories you didn’t create
  • Unexpected spikes in CPU or network usage
  • User accounts you don’t recognize

Proactive monitoring catches these anomalies before they become full-blown breaches. Unpatched servers are a primary entry point for ransomware operations like LockBit, and continuous patching and monitoring is exactly what managed IT services are built for.
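As an added example that is not part of the original post, the following PowerShell turns the warning signs above into a point-in-time triage you can run in an elevated PowerShell session on the server. It assumes the private-address regex covers your own networks and that 14 days is a reasonable look-back for account events; the second warning sign (new files in web-accessible folders) is the file-system check described under step 3 above, so here it is complemented by a check for processes spawned from the IIS worker.

```powershell
# Added example, not from the original post. A point-in-time triage for the
# warning signs listed above, run in an elevated PowerShell on the server.
# Assumptions: the private-address regex below covers your own networks,
# and 14 days is a reasonable look-back for account events.
$lookBack = (Get-Date).AddDays(-14)
$internal = '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|::1$|fe80:)'

# Sign 1: established outbound connections that leave your networks, with the
# owning process. Compare against what the server is expected to talk to;
# an IIS worker (w3wp.exe) holding an unexplained Internet session is the
# pattern to chase.
Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notmatch $internal } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            Process = $proc.ProcessName
            PID     = $_.OwningProcess
        }
    } | Format-Table -AutoSize

# Sign 2 companion check: child processes of the IIS worker. A web shell
# executes commands through the worker process, so a SharePoint w3wp.exe
# that has launched cmd.exe or powershell.exe needs an explanation.
$workerIds = @(Get-Process -Name w3wp -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty Id)
Get-CimInstance Win32_Process |
    Where-Object { $workerIds -contains $_.ParentProcessId } |
    Select-Object ProcessId, Name, CommandLine | Format-Table -AutoSize

# Sign 3: CPU load over a short sample, and the processes behind it.
$cpu = (Get-Counter '\Processor(_Total)\% Processor Time' -SampleInterval 2 -MaxSamples 3).CounterSamples |
    Measure-Object -Property CookedValue -Average
Write-Host ("Average CPU over 6 s: {0:N1}%" -f $cpu.Average)
Get-Process | Sort-Object CPU -Descending |
    Select-Object -First 5 Name, Id, CPU, WorkingSet64 | Format-Table -AutoSize

# Sign 4: accounts you do not recognise. Current local users, then Security
# log events for account creation (4720) and local group additions (4732).
Get-LocalUser | Select-Object Name, Enabled, LastLogon | Format-Table -AutoSize
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732; StartTime = $lookBack } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0].Trim() } } |
    Format-Table -AutoSize
```

Each section prints a snapshot, which is only useful against a baseline: capture the same output on a day you know the server is healthy, keep it, and compare. Security-log events only exist if account management auditing is enabled, so an empty result for sign 4 means "check the audit policy" before it means "nothing happened".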

The Cost of Doing Nothing

A compromised SharePoint server doesn’t just mean lost files. It means:

  • Operational shutdown — staff can’t access documents, projects stall
  • Client trust damage — a data breach notification can permanently hurt your reputation
  • Regulatory exposure — breach reporting requirements carry real penalties
  • Recovery costs — forensic investigation, data restoration, and system rebuilds add up fast

For more on protecting your business from evolving threats, read our posts on 7 security mistakes that invite malware and AI-powered phishing attacks targeting Solano County.

Take Action Today

If you’re not 100% sure your SharePoint server is patched, don’t guess — verify. We can audit your current setup, apply critical patches, scan for indicators of compromise, and help you plan a migration to the cloud if it makes sense.

Check out our Business Essentials page for more security fundamentals.

Ready to secure your infrastructure? Book a consultation or contact us to get started.
